Cyber security bill sails through Kentucky House committee

Kentucky Auditor Adam Edelen supporting the move

A bill that would improve electronic safeguards at state agencies, including notifying affected individuals of data breaches, flew through a House committee Thursday.

The House State Government Committee unanimously passed House Bill 5, which boasts 74 co-sponsors and has been pushed by Kentucky Auditor Adam Edelen after his office released an audit on cyber security in state government.

The audit found, for example, that an agency had inadvertently posted Social Security numbers, birth dates and other personal information of some employees on its website in 2012, and Edelen said he was "shocked" at the amount of information accumulated by government agencies — everything from tax filings to health records.

"Every citizen of Kentucky is impacted in the digital age by the collection of their personal data, and if you ask me in a sentence what this bill is about, this bill is about a government that collects your information has an obligation to inform you if they lose it," Edelen said during committee testimony.

HB 5 would require agencies and local governments to report security breaches — such as lost or stolen health records, banking information or Social Security numbers — to law enforcement, the state auditor's office and relevant state departments within 24 hours and notify affected individuals within 35 days. If more than 1,000 were affected, the Finance Cabinet and national consumer reporting agencies would be notified.

The bill would establish cyber security training through the Commonwealth Office of Technology and require agencies to encrypt confidential information on their computer systems. The legislative and judicial branches are not covered in the bill.

Edelen said COT's policy is to notify anyone affected by a security breach, but other agencies have no obligation to follow suit. The bill would create a uniform manner of handling cyber security at the state level, he said.

Forty-six other states require such notification systems, Edelen said.

"While we like to be in Final Fours in Kentucky, let me assure you this final four is not one that we want to be joined in," he said.

HB 5's fiscal impact on local governments would vary from minimal to significant, depending on the community's size, technological capabilities and the magnitude of such data breaches, according to a Legislative Research Commission analysis of the bill.

The bill's administrative burden on municipalities would range from minimal to moderate because personnel and record-keeping policies may require updating and employees would spend additional time notifying people in the event of a security breach.

Edelen said in his testimony that improving technological systems would be cheaper now than dealing with a large-scale loss of data. South Carolina, where the state lost many individual and corporate tax returns to hackers in 2012, has paid $35 million and counting in the fallout of the breach, he said.

A committee substitute passed on HB 5 would allow COT to provide technical assistance to any local government requesting help, mitigating some of the costs outlined in the fiscal analysis, Stephenie Hoelscher, Edelen's spokeswoman, said after the meeting.